The Terrifying Method Hackers Used to Steal Nearly 15,000 Tax Refunds From the IRS

Ever since Target announced a data breach following the 2013 holiday season -- one that compromised as many as 70 million credit and debit cards -- we've been learning about new breaches on a depressingly regular basis.

What this demonstrates is that criminals (specifically hackers) are getting more brazen and more sophisticated in their methods of extracting consumers' information, which can be used for a variety of illegal activities down the road. Be it a small company or a seemingly well-protected corporate giant, private data doesn't really seem so private anymore.

However, a breach announced this past week may be the most terrifying of all.

Continue Reading Below

ADVERTISEMENT

The terrifying method hackers used to steal from the IRSAccording to the Internal Revenue Service, a sophisticated group of hackers gained access to the personal information -- including Social Security numbers, addresses, and salary histories -- of 104,000 taxpayers between February 2015 and May 2015, allowing them to collect nearly 15,000 fraudulent tax refunds and costing the IRS about $50 million. Based on figures from the IRS, the hackers attempted about 200,000 breaches altogether.

What makes the breach really scary is how the hackers gained access to taxpayers' information.

The group of hackers accessed the IRS' database through a system known as "Get Transcript," a database that stores taxpayers' past tax returns. In order to gain access to your past returns as a taxpayer, you need your Social Security number, date of birth, address, and tax filing status. What this means is that the hackers involved in this scheme already had this information at their disposal. In other words, somewhere along the line, the personal information of hundreds of thousands of taxpayers (and maybe more) was compromised by these hackers. Therefore there's no telling for sure how much data was truly compromised, although The Washington Post says the IRS and state tax authorities witnessed fraudulent tax activity spike as much as 3,700% this year.

In response, the IRS has temporarily shut down access to Get Transcript, and it plans to notify all of those taxpayers who were affected by the breach (so start crossing your fingers now).

What the IRS is doing to protect your informationSometimes you have to appreciate what the IRS does to protect your information; other times you have to scratch your head.

In response to the breaches, the IRS is expected to beef up its security surrounding the Get Transcript app. Ultimately, this could mean requiring more information from users to gain access to past tax information. Of course, the drawback is that this would make the app less convenient for honest taxpayers, so finding the right balance is difficult for the IRS.

Those directly affected by the data breach will receive assistance from the IRS in the form of a personalized six-digit PIN that they'll need to enter when filing their taxes in the future. This will ensure that these individuals' tax filings are looked at more closely down the road in order to prevent fraud.

Source: Flickr user Frankieleon.

But the head-scratcher is that just the 104,000 people who suffered an identifiable data breach will be receiving a PIN to use when filing their taxes. The remaining 100,000 people (give or take) whom the hackers attempted to defraud will not be offered special PINs for future use. It's a bit worrisome, because it's obvious that the hackers still have personal data on these individuals.

What you can do to protect your informationAlthough the IRS and cloud security companies are tasked with the job of protecting your personal information, you may be able to take steps to help keep your personal data out of the hands of criminals.

For instance, if you're a resident of Georgia, Florida, or Washington, you're part of the IRS' pilot PIN program. These unique six-digit codes are required to complete the tax-filing process, and they're a great added security step to protect your information. At some point in the future the IRS would like to roll this program out nationwide, but it's still in test phases.

But there are other ways of protecting your information and your tax refund if you live in the other 47 states.

Source: Flickr user Maria Elena.

For example, be careful what you say on social media platforms such as Facebookand Twitter. Once you post something to a social media website, you should assume it's there forever. Thus, posting that you still haven't filed your tax return three weeks before April 15 (guilty here!) could be a tip-off to hackers that they still have time to use information they've gathered on you to file a fraudulent tax return.

Another important step for taxpayers is to stay on top of their refunds, which may not prevent fraud, but will help us spot it faster. The IRS allows taxpayers to track their refunds via the aptly named "Where's My Refund?" app. If you file electronically, you can begin tracking your refund within 24 hours of filing your return, and the information is updated every 24 hours. You'll need your Social Security number or taxpayer ID number, filing status, and the exact amount of your refund to log into the system. If you do notice something suspicious, alert the IRS immediately.

Source: Flickr user David Goehring.

Third, file your taxes as soon as possible. Thieves love waiting for the IRS to get bogged down with returns in April, and they can take advantage of taxpayers who are procrastinating. If you file early, you'll likely beat thieves to the punch.

Lastly, be careful where you log on. Public WiFi networks often don't have the same firewall protection that your home computer or business might have. If you log in to check personal account data, or even to pay a bill, on a public WiFi network, you could be exposing your personal data to a hacker who may be able to use it in the future to divert your tax refund into their account. It's best to handle all tax information at your accountant's office or under the firewall protection of the modems and servers in your home.

Sean Williamshas no material interest in any companies mentioned in this article. You can follow him on CAPS under the screen nameTMFUltraLong, track every pick he makes under the screen nameTrackUltraLong, and check him out on Twitter, where he goes by the handle@TMFUltraLong.The Motley Fool recommends Anthem, eBay, Facebook, Google (A shares), Google (C shares), Home Depot, Twitter, United Parcel Service, and Yahoo. The Motley Fool owns shares of eBay, Facebook, Google (A shares), Google (C shares), JPMorgan Chase, Twitter, and Yahoo. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.